PatchSiren cyber security CVE debrief
CVE-2026-44424 shellhub-io CVE debrief
ShellHub versions prior to 0.24.2 contain an authorization bypass vulnerability in the device metadata retrieval endpoint. The GET /api/devices/:uid endpoint returns complete device objects to any authenticated caller without validating namespace (tenant) ownership. An attacker with valid credentials—whether via JWT or API key—can enumerate or guess device UIDs to exfiltrate metadata from devices belonging to other tenants. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) reflects network accessibility, low attack complexity, low privileges required, and high confidentiality impact with no integrity or availability impact. The weakness maps to CWE-639: Authorization Bypass Through User-Controlled Key. No known exploitation in the wild or ransomware campaign use has been reported.
- Vendor: shellhub-io
- Product: shellhub
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-13
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-13
- Advisory updated: 2026-05-18
Who should care
Organizations operating multi-tenant ShellHub deployments; security teams managing SSH gateway infrastructure; compliance officers responsible for tenant isolation guarantees; developers maintaining ShellHub forks or custom authentication integrations.
Technical summary
The vulnerability exists in the device retrieval handler where authentication is verified but authorization is not. The :uid parameter is treated as a direct object reference without verifying that the authenticated principal's tenant matches the device's namespace. This insecure direct object reference (IDOR) pattern allows cross-tenant data access. The fix in 0.24.2 adds tenant membership validation before returning device objects.
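As an added illustration in Go (ShellHub's implementation language), not ShellHub's own code: a lookup that returns a device by :uid after authentication only, beside the namespace-scoped ownership check the 0.24.2 fix is described as adding. The Device and Principal types, the in-memory store and the tenant names are constructed assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// Device is a constructed stand-in for a ShellHub device record; TenantID is its namespace.
type Device struct {
	UID, Name, TenantID string
}

// Principal is the authenticated caller (JWT or API key) resolved to its namespace.
type Principal struct {
	UserID, TenantID string
}

var ErrNotFound = errors.New("device not found")
// store is a constructed in-memory inventory holding devices from two tenants.
var store = map[string]Device{
	"a1b2": {UID: "a1b2", Name: "edge-01", TenantID: "tenant-A"},
	"c3d4": {UID: "c3d4", Name: "edge-02", TenantID: "tenant-B"},
}

// getDeviceVulnerable mirrors the pre-0.24.2 pattern: the caller is authenticated,
// but :uid is returned as a direct object reference with no namespace check (CWE-639).
func getDeviceVulnerable(_ Principal, uid string) (Device, error) {
	d, ok := store[uid]
	if !ok {
		return Device{}, ErrNotFound
	}
	return d, nil
}

// getDeviceFixed adds the tenant-ownership check; a cross-tenant hit is reported
// like a missing UID so the response does not reveal that the UID exists elsewhere.
func getDeviceFixed(p Principal, uid string) (Device, error) {
	d, ok := store[uid]
	if !ok || d.TenantID != p.TenantID {
		return Device{}, ErrNotFound
	}
	return d, nil
}

func main() {
	caller := Principal{UserID: "u-17", TenantID: "tenant-A"}
	_, vulnErr := getDeviceVulnerable(caller, "c3d4") // device in tenant-B
	_, fixedErr := getDeviceFixed(caller, "c3d4")
	fmt.Println("vulnerable:", vulnErr, "| fixed:", fixedErr)
}
```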
Defensive priority
medium
Recommended defensive actions
- Upgrade ShellHub to version 0.24.2 or later to enforce namespace-scoped authorization on device metadata endpoints.
- Review access logs for GET /api/devices/:uid requests that returned 200 OK responses for UIDs outside the requesting user's namespace, particularly if UIDs appear sequential or guessed.
- Implement additional monitoring for anomalous UID enumeration patterns from authenticated sessions.
- Validate that API key and JWT authentication flows both enforce the corrected authorization logic after patching.
Evidence notes
Vendor advisory confirms the endpoint behavior and fix version. NVD record provides CVSS scoring and CPE range. No KEV entry exists.
Official resources
- CVE-2026-44424 CVE record (CVE.org)
- CVE-2026-44424 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Exploit, Vendor Advisory, Mitigation
The vulnerability was disclosed via GitHub Security Advisory and incorporated into NVD on 2026-05-13, with subsequent modification on 2026-05-18. ShellHub 0.24.2 remediates the issue by enforcing namespace-scoped authorization checks on the